59% of staff admitted to having taken company information from a corporate network or devices at some point, which matches known industry trends.
Common Staff Data Exfiltration Tactics
Businesses often have their heads in the sand when it comes to managing their insider threat, although some do turn to sophisticated IT Data Loss Prevention (DLP) solutions as a silver bullet for managing this risk. However, DLP solutions would be ineffective against the final four bulleted 'Staff Data Exfiltration' methods listed below. In particular, the use of cyber tools to steal company information digitally has been democratised by the availability of toolkits on the dark web. For example, steganography toolkits, which enable cybercriminals to encode information into an image or text, can be downloaded for free and guarantee an undetectable route for getting information out of the company network.
- Digital: email, uploading to cloud services and copying to external storage (11%)
- Using steganography or encryption tools to hide exfiltration (8%)
- Printing information (11%)
- Copying information by hand (9%)
- Photographing information (8%)
- Personal Work (19%)
- Customer Information i.e. contact details, confidential market information, sales pipeline (11%)
- Company Assets i.e. passwords to subscription services, company benefits (7%)
The Motivation for Staff Taking Information
- Value for their future career success in their next role (12%)
- To keep a record of their work (12%)
- Benefit their career (10%)
- Financial, specifically paid to do so by an outside third party (8.5%)
Deep Secure CEO Dan Turner concluded “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016. Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued.
The Cost of Staff Data Thefts
The theft of corporate information can hurt business competitiveness and future profit margins, and significant financial losses could be incurred should staff take personal data en masse. UK supermarket giant Morrisons lost a landmark data breach court case in December 2017 and took a financial hit: after a disgruntled Morrisons employee stole and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. With the GDPR coming into force just over a year ago, the Information Commissioner's Office is now empowered to fine British businesses millions of pounds for mass personal data losses. The Morrisons court case demonstrates that UK companies will be brought to book for malicious data thefts by staff.